Skip to content

1,652 malicious images found on Docker Hub

  • by
  • 3 min read

An analysis of over 250,000 Linux images hosted on Docker Hub by researchers over at Sysdig has revealed 1,652 malicious containers hosted in Docker Hub repositories. The analysis focussed only on publicly posted images and did not include official and verified images. 

Docker Hub is a cloud-based container library that allows people to search for and post Docker images — templates allow for the quick and easy creation of containers with ready-to-use code and applications. 

Like other code repositories like GitHub or PyPI, threat actors use this to their advantage to create images or repositories that resemble legitimate ones to trick unsuspecting users into downloading a malicious image. This isn’t an isolated issue with code repositories either; threat actors often abuse programs like Discord to host malicious software as well. 

Sysdig reports that crypto mining images lead the way with 608 malicious images, followed by Embedded secrets at 281 and Proxy avoidance images at 266. The full breakdown of malicious images by type of malicious content is as follows:

  • Crypto mining — 608
  • Embedded secrets — 281
  • Proxy avoidance — 266
  • Newly registered domains — 134
  • Malicious websites — 129
  • Hacking — 38
  • Dynamic DNS — 33
  • Other — 288

While seeing crypto mining malware at the top of the list isn’t surprising, embedded secret images pose a difficult challenge. Secrets like SSH or API keys embedded in an image can allow a threat actor to gain access once the container is deployed. This can either be caused by bad coding practices from the developer or can be intentionally done by the threat actor themselves. 

In the News: Google releases security update for the 8th zero-day in 2022

Different embedded secret types in the images discovered by Sysdig. | Source: Sysdig

As mentioned, many of these images are also named after legitimate packages to trick users into downloading them, a practice known as typosquatting. The two images below containing the XMRig miner tool by an author named ‘vibersastra’ have been downloaded over 16,900 times. 

The two malicious images have over 16,900 downloads on Docker Hub. | Source: Sysdig

In 2022, nearly 61% of all images pulled from Docker Hub came from these public repositories. This is a 15% rise from last year, which means as more users start using images from Docker Hub, more people are at risk of being compromised by a malicious image.

Additionally, most threat actors are only uploading a few malicious images. This ensures that the platform’s overall threat perception doesn’t change significantly even if the image is removed or the author is banned.

In the News: Review: Maono WM821 dual wireless microphone system

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here:

Exit mobile version